Set-Acl: Removing a Permission


Hi,

I'm having extreme difficulty trying to remove a permission, and I'm not sure how.

If I run Get-Acl:

    Path   : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\test
    Owner  : domain\steve
    Group  : domain\domain users
    Access : domain\steve Deny  SetValue      #(remove this one)#
             domain\steve Allow  FullControl
             NT AUTHORITY\SYSTEM Allow  FullControl
             BUILTIN\Administrators Allow  FullControl
             NT AUTHORITY\RESTRICTED Allow  ReadKey
             APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey


I'm currently using this script to try and modify the "domain\steve" SetValue Deny to Allow:

    cd "hkcu:\test"
    $acl = Get-Acl .
    $arguments = "domain\steve","SetValue","Allow"
    $accessRule = New-Object System.Security.AccessControl.RegistryAccessRule $arguments
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl .
    Get-Acl . | fl

I'm pretty sure there is one line in here that is wrong. I wouldn't mind removing it either, as below it there is Full Control applied anyway; it just seems to be explicitly set to Deny SetValue.

I've googled everywhere and used every possible combination in terms of inheritance and override.

I think maybe this is contributing to the error?

    Set-Acl : Requested registry access is not allowed.
    At line:6 char:9
    +     $acl | Set-Acl .
    +            ~~~~~~~~~
        + CategoryInfo          : PermissionDenied: (HKEY_CURRENT_US...docx\UserChoice:String) [Set-Acl], SecurityException
        + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.SetAclCommand




There are two problems that need to be solved in this situation:

  1. How to make the DACL look the way you want it to. The get -> modify -> set pattern that .NET uses means you can do whatever you want to the security descriptor. You have a copy of it in memory, so you can make changes without worrying about damaging the real one that protects the registry key (at least until you call Set-Acl and save it).
  2. How to save the modified security descriptor.

Let's look at #1 first. You're creating an ACE and calling SetAccessRule() with it. SetAccessRule() will replace any ACEs that match the type (Allow, Deny, Audit) and the principal (domain\steve in this case). Since the reference ACE is an 'Allow' ACE for 'domain\steve', the final DACL will still have the original 'Deny' ACE, along with the new 'Allow' ACE. Looking back on the last few sentences gives me a headache, so just know that what you're doing is right for adding a new 'Allow' ACE while keeping the 'Deny' ACE as is.

What you might be looking for is ResetAccessRule(), which will remove any DACL ACEs that match the reference ACE's principal, then add the reference ACE. In your example, that would remove the ACE that denies 'SetValue' and remove the ACE that allows 'FullControl'. You'd end up with a single ACE that allowed 'domain\steve' to have 'SetValue' access after the method finished, and I don't think that's what you're looking for, either.

Here are a few examples of ways I'd try to remove the Deny ACE:

    # Remove any 'Deny' ACEs for 'domain\steve'. The ACEs removed don't have to
    # contain 'FullControl', and the inheritance and propagation flags don't have to match:
    $acl.RemoveAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        "domain\steve",
        "FullControl",
        "ObjectInherit, ContainerInherit",
        "None",
        "Deny"
    )))

    # Leave the DACL so that it has a single 'domain\steve' ACE: one that grants Full Control:
    $acl.ResetAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        "domain\steve",
        "FullControl",
        "ContainerInherit",
        "None",
        "Allow"
    )))

There are more ways to handle this, too, but that should get you started. While you're playing around with the different modification methods, you can check what the in-memory DACL looks like by doing this:

    $acl.Access | Format-Table

Now for #2. I don't think Set-Acl is going to be able to handle this. In your example, the 'Deny' ACE wouldn't be removed, but that shouldn't be the error Set-Acl is producing if you're running as 'domain\steve'. Not only does that user have 'FullControl' rights on the key, he's the owner. 'steve' should be capable of doing whatever he wants to the DACL without elevating, but it's not working with Set-Acl. Instead, you'll need to use the SetAccessControl() method of the RegistryKey object (and it'll be ugly because of the way you need to open the key):

    # Instead of Set-Acl, do this:
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        "CurrentUser",  # hive, in this case HKCU:
        "Default"
    ).OpenSubKey(
        "test",         # subkey name, in this case 'test'
        "ReadWriteSubTree",
        "ChangePermissions"
    ).SetAccessControl($acl)

So, native PowerShell should be able to do what you need to do. If you're looking for an easier way, though, can I suggest the PowerShell Access Control module? It's a module I've been working on that (I hope) makes this type of thing easier to do. If you have version 4.0, you can do this instead:

    # Remove the 'Deny' ACE for 'domain\steve'
    Remove-PacAccessControlEntry hkcu:\test -Principal domain\steve -AceType Deny -RegistryRights FullControl #-Force
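The following is an added, self-contained example that is not part of the thread and not code from the PowerShell Access Control module. It ties the two halves of the answer together on a throwaway key: it reproduces the questioner's state (an explicit Deny SetValue ACE on a key the current user owns), shows the in-memory DACL, removes the Deny ACE with RemoveAccessRule(), and saves the result with RegistryKey.SetAccessControl() instead of Set-Acl. The key name HKCU:\PacDemo, the function names Save-RegistryAcl, Remove-RegistryDenyAce and Show-RegistryDacl, and the use of the current user as the principal (rather than "domain\steve") are all assumptions made for this example.

```powershell
# Added example (not from the thread and not part of the PowerShell Access Control module).
# Assumptions: runs as the current user in a Windows PowerShell session; HKCU:\PacDemo is a
# constructed throwaway key name; the principal is the current user rather than "domain\steve".

function Save-RegistryAcl {
    # Persist an in-memory RegistrySecurity with RegistryKey.SetAccessControl() instead of
    # Set-Acl. The key is opened asking only for ChangePermissions (WRITE_DAC), so a Deny ACE
    # covering other rights (such as SetValue) does not block the open.
    param(
        [Parameter(Mandatory)][string]$SubKey,   # path relative to HKCU, e.g. 'PacDemo'
        [Parameter(Mandatory)][System.Security.AccessControl.RegistrySecurity]$Acl
    )
    $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::CurrentUser,
        [Microsoft.Win32.RegistryView]::Default
    ).OpenSubKey(
        $SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions
    )
    try     { $key.SetAccessControl($Acl) }
    finally { $key.Close() }
}

function Remove-RegistryDenyAce {
    # Drop every Deny ACE for $Principal and save the result. RemoveAccessRule() matches on
    # ACE type and principal only; the rights and flags on the reference rule need not match,
    # so 'FullControl' here also removes a Deny that covers just SetValue.
    # Returns $true if a matching ACE was found.
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Principal
    )
    $acl = Get-Acl -Path "HKCU:\$SubKey"
    $reference = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Principal, 'FullControl', 'ContainerInherit', 'None', 'Deny'
    $removed = $acl.RemoveAccessRule($reference)
    Save-RegistryAcl -SubKey $SubKey -Acl $acl
    return $removed
}

function Show-RegistryDacl {
    # Compact view of the DACL, the same information the answer suggests checking via $acl.Access
    param([Parameter(Mandatory)][string]$SubKey)
    (Get-Acl -Path "HKCU:\$SubKey").Access |
        Format-Table IdentityReference, AccessControlType, RegistryRights, IsInherited -AutoSize
}

# --- Demonstration on the constructed throwaway key --------------------------------------
$subKey    = 'PacDemo'
$principal = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$null = New-Item -Path "HKCU:\$subKey" -Force
$acl  = Get-Acl -Path "HKCU:\$subKey"

# Reproduce the state in the question: an explicit Deny SetValue ACE on the owner's own key.
$deny = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $principal, 'SetValue', 'ContainerInherit', 'None', 'Deny'
$acl.AddAccessRule($deny)
Save-RegistryAcl -SubKey $subKey -Acl $acl

"DACL with the stray Deny ACE:"
Show-RegistryDacl -SubKey $subKey

$removed = Remove-RegistryDenyAce -SubKey $subKey -Principal $principal
"Deny ACE found and removed: $removed"

"DACL after cleanup:"
Show-RegistryDacl -SubKey $subKey

# Clean up the throwaway key.
Remove-Item -Path "HKCU:\$subKey" -Recurse
```

To apply this to the situation in the question, point $subKey at 'test' and $principal at 'domain\steve'; the reference rule passed to RemoveAccessRule() can keep 'FullControl' because, as the answer explains, only the ACE type and principal are matched. Saving through OpenSubKey() with just ChangePermissions is what keeps the Deny ACE from interfering with the write.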


